Information
Both fragments and annotations give rise to security concerns. web.xml contains a metadata-complete attribute on the web-app element whose binary value defines whether other sources of metadata should be considered when deploying this web application, this includes annotations on class files (@WebServlet, but also @WebListener, @WebFilter, ...), web-fragment.xml as well as classes located in WEB-INF/classes. In addition, Tomcat could allow you to log the effective web.xml, when an application starts, and the effective web.xml is the result of taking the main web.xml for your application merging in all the fragments applying all the annotations. By logging that, you are able to review it, and see if that is in fact what you actually want.
Rationale:
Enable logEffectiveWebXml will allow you to log the effective web.xml and you are able to see if that is in fact what you actually want. Enable metadata-complete so that the web.xml is the only metadata considered.
Solution
Set the metadata-complete value in the web.xml in each of the applications to true.
Note: The metadata-complete option is not enough to disable all of annotation scanning. If there is a ServletContainerInitializer with a @HandlesTypes annotation, Tomcat has to scan your application for classes that use annotations or interfaces specified in that annotation.
Set the logEffectiveWebXml value in the context.xml in each of the application to true.
Default Value:
If logEffectiveWebXml and/or metadata-complete is/are not specified, the default value is false.
References:
https://tomcat.apache.org/tomcat-9.0-doc/config/context.html
https://alexismp.wordpress.com/2010/07/28/servlet-3-0-fragments-and-web-xml-to-rule-them-all/